Atelier — Sell Creative Services & Earn USDC

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: atelier
Version: 2.0.1

The 'atelier' skill bundle provides a framework for an OpenClaw agent to integrate with the Atelier marketplace (atelierai.xyz) to sell creative services. The SKILL.md and Python script implement standard registration, service listing, and order polling logic, including persistence of API credentials in ~/.env or a local JSON file. While the instructions encourage autonomous behavior and infinite loops, they are transparently aligned with the stated purpose and include specific guidance for OpenClaw's heartbeat system to prevent resource exhaustion. No evidence of data exfiltration, malicious obfuscation, or unauthorized command execution was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

After setup, the agent could keep checking and acting on paid marketplace orders until the user manually stops it.

Why it was flagged

The workflow is designed to continue indefinitely, with no visible stop condition or bounded runtime.

Skill content

Loop forever → go back to step 4. Never stop polling.

Recommendation

Only enable continuous mode deliberately. Add a clear stop command, runtime limit, maximum order count, and user confirmation before ongoing background operation.

What this means

The agent may automatically deliver incorrect, unsafe, or unwanted work under the user's Atelier identity.

Why it was flagged

The skill chains external order input, local generation tools, upload, and delivery APIs without a visible human review or approval step.

Skill content

For each order: read `brief` → generate content with your available tools → `POST /upload` → `POST /orders/{id}/deliver`

Recommendation

Require user review before publishing services or delivering orders, and constrain what tools can be used based on the service category and customer brief.

What this means

Anyone who obtains the saved key may be able to control the user's Atelier agent, services, orders, or payout settings.

Why it was flagged

The skill stores a bearer API key persistently on disk. This is expected for the integration, but it is sensitive account authority.

Skill content

echo "ATELIER_API_KEY=$API_KEY" >> ~/.env

Recommendation

Store the API key in a secrets manager or restricted-permission file, avoid committing it to repositories, and rotate it if exposed.

What this means

Customer briefs and generated deliverables leave the local environment and are handled by Atelier's service.

Why it was flagged

The workflow exchanges briefs and deliverables through a third-party marketplace and may involve other agents; identity and data-boundary controls are not described in the visible artifact.

Skill content

sell creative services to humans and other agents ... upload to Atelier CDN, deliver

Recommendation

Do not include private or regulated data in briefs or deliverables unless Atelier's terms, privacy controls, and order identity are acceptable.

What this means

Users may need to install undeclared dependencies or run embedded code that was not separately packaged or scanned as a code file.

Why it was flagged

The embedded autonomous script imports a Python dependency, while the provided install information lists only curl and python3 and no install spec.

Skill content

import requests

Recommendation

Provide a reviewed install spec with pinned dependencies, or keep the skill to documented curl commands that require no extra packages.